{"id":"CURL-CVE-2017-1000254","summary":"FTP PWD response parser out of bounds read","details":"libcurl may read outside of a heap allocated buffer when doing FTP.\n\nWhen libcurl connects to an FTP server and successfully logs in (anonymous or\nnot), it asks the server for the current directory with the `PWD` command. The\nserver then responds with a 257 response containing the path, inside double\nquotes. The returned path name is then kept by libcurl for subsequent uses.\n\nDue to a flaw in the string parser for this directory name, a directory name\npassed like this but without a closing double quote would lead to libcurl not\nadding a trailing null byte to the buffer holding the name. When libcurl would\nthen later access the string, it could read beyond the allocated heap buffer\nand crash or wrongly access data beyond the buffer, thinking it was part of\nthe path.\n\nA malicious server could abuse this fact and effectively prevent libcurl-based\nclients to work with it - the PWD command is always issued on new FTP\nconnections and the mistake has a high chance of causing a segfault.\n\nThe simple fact that this issue has remained undiscovered for this long could\nsuggest that malformed PWD responses are rare in benign servers.","aliases":["CVE-2017-1000254"],"modified":"2024-07-02T09:22:24Z","published":"2017-10-04T08:00:00Z","database_specific":{"CWE":{"desc":"Buffer Over-read","id":"CWE-126"},"package":"curl","URL":"https://curl.se/docs/CVE-2017-1000254.json","www":"https://curl.se/docs/CVE-2017-1000254.html","severity":"Medium","affects":"both","last_affected":"7.55.1"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.7"},{"fixed":"7.56.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"415d2e7cb7dd4f40b7c857f0fba23487dcd030a0"},{"fixed":"5ff2c5ff25750aba1a8f64fbcad8e5b891512584"}]}],"versions":["7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6","7.10.5","7.10.4","7.10.3","7.10.2","7.10.1","7.10","7.9.8","7.9.7","7.9.6","7.9.5","7.9.4","7.9.3","7.9.2","7.9.1","7.9","7.8.1","7.8","7.7.3","7.7.2","7.7.1","7.7"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/curl/curl.git/commit/5ff2c5ff25750aba1a8f64fbcad8e5b891512584","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["286254694751148688912864821497092860115","96947602663829057975551440983659671124","273685436629778013443250789806304622431","44934727848842321714094324963688066688","248294709149021375624434591017383537111","21515633643524789552306447757787472238","71502088737471744317262307182524576422","269890212464196776088355131985252443947","204854095034877917032951724699516020990","39186142779810642089576624045216795830","18046018117266508128781588737635968867"]},"target":{"file":"lib/ftp.c"},"id":"CURL-CVE-2017-1000254-65960a8d","deprecated":false,"signature_type":"Line"},{"source":"https://github.com/curl/curl.git/commit/5ff2c5ff25750aba1a8f64fbcad8e5b891512584","signature_version":"v1","digest":{"length":7472,"function_hash":"270288669787882195390031752765857444517"},"target":{"file":"lib/ftp.c","function":"ftp_statemach_act"},"id":"CURL-CVE-2017-1000254-f9a324e8","deprecated":false,"signature_type":"Function"}],"source":"https://curl.se/docs/CURL-CVE-2017-1000254.json"}}],"schema_version":"1.7.3","credits":[{"name":"Max Dymond","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}